Bug 719605 - Malicious "Peliculas-flv" add-on
Status: RESOLVED FIXED
[Read comment #15 before posting!]
Product: Toolkit
Classification: Components
Component: Blocklisting
Assigned To: Jorge Villalobos [:jorgev]

Reported: 2012-01-19 14:39 PST by MarkH
Modified: 2016-03-07 15:30 PST


Attachments
20120119 peliculas.zip (904.31 KB, application/octet-stream)
2012-01-19 14:39 PST, MarkH

Description MarkH 2012-01-19 14:39:21 PST
Created attachment 590000 [details]
20120119 peliculas.zip

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_2) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7

Steps to reproduce:

User encouraged to visit peliculas-flv.com

User told they need to install something to see videos


Actual results:

Downloaded add-on from:
http://cinetube.bligoo.com/media/users/4/216477/files/27183/peliculas-flv03.xpi
http://cinetube.bligoo.com/media/users/4/216477/files/27183/peliculas-flv03.crx

install.rdf has http://www.peliculas-flv.com as the homepage

Loads content/script-compiler-overlay.xul, which loads:

content/defined in content/xmlhttprequester.js
content/prefman.js
content/script-compiler.js

content/script-compiler.js does some checks to see if it's on a preferred list of sites, including http://www.facebook.com/, if so, it injects 'content/cuevanastream.js'

content/cuevanastream.js injects a <script> tag that loads http://www.peliculas-flv.com/plugins/servers/pflv.js?vs=3.0

pflv.js checks to see if the user is on facebook.com, youtube.com, or google.com; if so, it injects another <script> that loads http://www.peliculas-flv.com/plugins/servers/infolinks.js

infolinks.js injects a <script> tag to load http://resources.infolinks.com/js/infolinks_main.js

infolinks_main.js is packed JS, which injects another script tag to load: http://www.peliculas-flv.com/plugins/servers/prueva.js

Prueva.js injects an ad from http://www.pornito.net/

Uses its own XHR (defined in content/xmlhttprequester.js), to get in the browser security context and do cross-site requests

Also injects an iframe in with legit Facebook ads

The attached zip contains the xpi, screenshots, and all of the remote JS files referenced above.



Expected results:

It should actually help play videos, not inject ads into third-party sites' DOM.
Comment 1 Jorge Villalobos [:jorgev] 2012-01-19 15:52:55 PST
Id: {a3a5c777-f583-4fef-9380-ab4add1bc2a8}
Comment 2 Jorge Villalobos [:jorgev] 2012-01-19 15:59:07 PST
Blocked: https://addons.mozilla.org/en-US/firefox/blocked/i53

Thanks!
Comment 3 Sebastian Gomez 2012-01-19 18:27:08 PST
Excuse me, but you made a mistake, this extension shouldn't be blocked. Here is the deal: The cuevana extension is legit. Their site is cuevana.tv, and it's one of the best movie sites out there. The guys actually took the job of creating Chrome/Firefox extensions to automate the job of megaupload/rapidshare/etc download, adding subs, etc. It's widely used in many countries, and it's especially popular in Argentina, where it has MILLIONS OF USERS.

Recently, it's been attacked heavily by the usual copyright trolls, saying it was illegal. In Argentina, it's not illegal to LINK to copyrighted content, and as cuevana doesn't host anything, they are in the clear, at least for now. 

Obviously peliculas-flv and many other sites are piggybacking on cuevana's success, but the original cuevana extension is legit, and it only adds ONE advertisement while the movie is loading (and that one is easily blocked with adblock plus). You can learn about cuevana here: http://thenextweb.com/la/2011/11/25/is-the-argentine-online-video-website-cuevana-the-new-napster/

Or just google it, the site is legit, and it's not malware. 

They are even trying to add LEGAL content now (i.e., content that doesn't violate anyone's copyright). Source: http://www.rapidtvnews.com/index.php/2011122318272/cuevana-premieres-first-legally-uploaded-movie.html
Or just check cuevana.tv, the movie is featured on the front page. 

Some MAJOR media corporations have been threatening cuevana and spreading ****. Blocking their plugin is helping those guys, and can prove more effective than SOPA at doing so ;)
Source: http://www.rapidtvnews.com/index.php/2011111917181/telefe-threatens-with-legal-action-against-cuevana.html
http://articles.cnn.com/2011-12-13/americas/world_americas_argentina-movie-site_1_escobar-s-cnn-free-content?_s=PM:AMERICAS


Please remove the cuevana's extension block. 

Regards, 
Sebastian.
Comment 4 Sebastian Gomez 2012-01-19 18:31:02 PST
Edit: 

The plugin you were trying to block was downloaded from:

http://cinetube.bligoo.com/media/users/4/216477/files/27183/peliculas-flv03.xpi
http://cinetube.bligoo.com/media/users/4/216477/files/27183/peliculas-flv03.crx

That domain is UNRELATED to cuevana. 

Cuevana's XPI md5sum is: 86b122dc9bc0b8d05207061587697b6f
cinetube's XPI md5sum is: 38e06ef6765c63b837d01ff35c8c65c0

So, please just unblock cuevana. 

Thanks, 
Sebastian.
Comment 5 Juliet Williams 2012-01-19 19:01:24 PST
I agree and support everything Sebastian said.
Censorship of Cuevana is a big mistake. And you should be careful about the erroneous sources of information.
Millions of regular users of Mozilla are also users of Cuevana and want to continue using it.
Please remove the cuevana's extension block ASAP.

Thanks,
Julieta
Comment 6 Jose 2012-01-19 19:31:49 PST
You made a mistake, you are trying to use a plugin downloaded from another site. Cuevana has nothing to do with Cinetube, please remove the block, otherwise you will make ppl use other programs to access it. This is my browser, but if you start denying access to the pages that we use daily, ppl won't have any other choice but to change browsers, and I really don't want that.
If you guys go to Cuevana.tv you can see that they have complaints about ppl who got confused and used the plugin from the page you are talking about (http://cinetube.bligoo.com/media/users/4/216477/files/27183/peliculas-flv03.xpi)
and they have nothing to do with them.
Thanks
Comment 7 rvaldesdep 2012-01-19 20:03:27 PST
Cuevana is the most important movie broadcasting here in South America. If you don't work for SOPA, please remove the block, or everybody will start to use Safari or Explorer, your choice....( really, you made a big mistake.!!!.)
Comment 8 MarkH 2012-01-19 20:52:05 PST
As the Cuevana reps have already mentioned, we were reporting the version being served from www.peliculas-flv.com / cinetube.bligoo.com, not the one associated with Cuevana.

If someone from Cuevana could post a link here to their legit add-on, I think we can get to the bottom of the problem.  My guess is the bad actors used the same ID, a3a5c777-f583-4fef-9380-ab4add1bc2a8, as the legit version does, causing the inadvertent block of both the spammy add-on *AND* the legit one from Cuevana.
Comment 9 Julio Varela 2012-01-19 21:10:17 PST
This is a mistake..  the Malicious "Peliculas-flv" add-on is from another website.. not from cuevana.
Comment 10 Justin Scott [:fligtar] 2012-01-19 21:12:14 PST
Removed the block until this can be investigated.
Comment 11 Justin Scott [:fligtar] 2012-01-19 21:14:44 PST
Please file these bugs in Blocklisting component in the future.
Comment 12 Juan 2012-01-19 21:36:51 PST
I'm still getting the block... how do I solve this, or when are the changes going to be applied?

This is the link to the plugin
http://www.cuevana.tv/player/plugins/cstream-3.1.5.xpi
Comment 13 Juan 2012-01-19 21:49:18 PST
Please, Jorge Villalobos [:jorgev], delete the above comment after reading (didn't know, and didn't want my email showing here)
Comment 14 manuel 2012-01-19 21:52:34 PST
I fully support what people are stating here. Cuevana.tv is not a malicious site, nor are its plugins. Please remove the block!!
Comment 15 Jorge Villalobos [:jorgev] 2012-01-20 07:44:24 PST
I have reinstated the block to match the version number of the malicious XPI, which is 2.0.3. The current Cuevana XPI has version 3.1.5, so current versions should be unaffected by this new block.

Both Cuevana and Peliculas-FLV use the same id, which is the reason Cuevana was accidentally blocked. We only intended to block Peliculas-FLV, which behaves maliciously.

The Cuevana add-on should be eventually unblocked for everyone, but if you want to reinstate it as soon as possible, just locate your profile folder, delete file blocklist.xml, and then restart Firefox.
Comment 16 José Augusto Linárez Ferrer 2012-01-20 09:55:50 PST
What kind of ridiculous joke is this? You cannot block an extension like this; in any case it is we, the Firefox users, who should have the right to install it or not. Have you forgotten what the vision of this browser is supposed to be? I ask you seriously: do you intend to curtail freedoms on the internet like other big players on the web? Do not disappoint us, it could cost you dearly; it is the moment of truth.
TRANSLATION (WITH GOOGLE, OBVIOUSLY):
What kind of ridiculous joke is this? you can not lock an extension like this, in any case we are what Firefox user should have the right to install it or not, maybe they forgot which supposedly is the horizon of this browser? I ask seriously, think restricting freedoms in the internet like the other major network? It could cost us dearly disappointed that it's time for truth.
Comment 17 MarkH 2012-01-20 10:02:47 PST
Jorge,

Thanks for getting to the bottom of this.  Any way we can prevent the inadvertent block of legit add-ons, when the malicious one has pirated their ID?
Comment 18 Jorge Villalobos [:jorgev] 2012-01-20 10:10:35 PST
(In reply to José Augusto Linárez Ferrer from comment #16)
> What kind of ridiculous joke is this? You cannot block an
> extension like this...

Please read comment #15, using Google if necessary.


(In reply to Mark Hammell from comment #17)
> Jorge,
> 
> Thanks for getting to the bottom of this.  Any way we can prevent the
> inadvertent block of legit add-ons, when the malicious one has pirated their
> ID?

I just need to be more careful researching the IDs associated to the add-ons we block, to check if we need to narrow down the block parameters. This can be very difficult for add-ons not hosted on AMO, though, and problems like these are bound to arise on occasion.
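
The ID collision from comments 15 and 18, as an added example (not Mozilla's code): a minimal matcher run over two constructed blocklist fragments modelled on the blocklist.xml layout, one blocking every version of the shared id and one narrowed to 2.0.3. The version comparison is a simplification that handles dotted integers only.

```python
import xml.etree.ElementTree as ET

NS = {"b": "http://www.mozilla.org/2006/addons-blocklist"}
ADDON_ID = "{a3a5c777-f583-4fef-9380-ab4add1bc2a8}"  # id from comment 1

# Constructed blocklist fragments: the first blocks every version of the id,
# the second only the malicious 2.0.3 release described in comment 15.
BROAD = f"""<blocklist xmlns="http://www.mozilla.org/2006/addons-blocklist">
  <emItems><emItem blockID="i53" id="{ADDON_ID}"/></emItems>
</blocklist>"""
NARROW = f"""<blocklist xmlns="http://www.mozilla.org/2006/addons-blocklist">
  <emItems><emItem blockID="i53" id="{ADDON_ID}">
    <versionRange minVersion="2.0.3" maxVersion="2.0.3"/>
  </emItem></emItems>
</blocklist>"""


def version_key(version):
    """Simplified comparison key: dotted integers only, '*' sorts last."""
    return tuple(float("inf") if p == "*" else int(p) for p in version.split("."))


def is_blocked(blocklist_xml, addon_id, addon_version):
    """Return the blockID that matches (id, version), or None."""
    root = ET.fromstring(blocklist_xml)
    for item in root.findall("b:emItems/b:emItem", NS):
        if item.get("id") != addon_id:
            continue
        ranges = item.findall("b:versionRange", NS)
        if not ranges:  # no versionRange: every version of this id is blocked
            return item.get("blockID")
        for r in ranges:
            low = version_key(r.get("minVersion", "0"))
            high = version_key(r.get("maxVersion", "*"))
            if low <= version_key(addon_version) <= high:
                return item.get("blockID")
    return None


if __name__ == "__main__":
    for name, doc in (("broad", BROAD), ("narrow", NARROW)):
        for ver in ("2.0.3", "3.1.5"):
            print(name, ver, is_blocked(doc, ADDON_ID, ver))
```

With the broad entry, Cuevana 3.1.5 is caught along with Peliculas-FLV 2.0.3; with the narrowed entry only 2.0.3 matches.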
Comment 19 MatíasFernandez 2012-01-20 10:17:53 PST
REMOVE THE BLOCK!

NO MORE FIREFOX CENSORED! Chromium rules **** YOU FIREFOX
Comment 20 MarkH 2012-01-20 11:05:37 PST
Jorge - Yep, seems like an inadvertent mistake to me.  One that Justin and I postulated on when these things first started ramping up.  I'd have thought a check of AMO is safe to prevent most of these.  Unfortunately, I can't find the legit Cuevana add-on in AMO :(
Comment 21 Jorge Villalobos [:jorgev] 2012-01-20 11:18:01 PST
***** PLEASE READ THIS COMMENT BEFORE POSTING *****

This bug was created to block an add-on called Peliculas-FLV, which contains malicious code and can cause problems for its users.

Unfortunately, Peliculas-FLV uses the same ID as Cuevana (which we do NOT want to block), and that is why Cuevana users were affected by the block. Once we discovered our mistake, the block was reverted, and it currently only applies to version 2.0.3, which corresponds to Peliculas-FLV. The current version of Cuevana is 3.1.5, so it is currently not affected by the block.

If your Firefox updated the blocklist during the time all versions were blocked, you may still have Cuevana blocked. The problem will be fixed once Firefox updates the list again, which should happen in less than 24 hours. If you want to update the list as soon as possible, follow these instructions:

1) Close Firefox
2) Locate your profile: http://support.mozilla.org/es/kb/Perfiles
3) Remove the file blocklist.xml

That should force Firefox to update the blocklist on the next startup.

***** PLEASE READ THIS COMMENT BEFORE POSTING *****
Comment 22 Jose 2012-01-20 11:39:08 PST
Many thanks to the Mozilla Firefox team for listening to our complaints and working in line with what has always been the spirit of this excellent browser. Two Thumbs Up
Comment 23 José Augusto Linárez Ferrer 2012-01-20 13:07:49 PST
Hey Jorge, thanks for the quick solution to the problem. You'll have to understand that tempers are sensitive and heated after the shutdown of megaupload. I'm discarding that terrible idea that crossed my mind of no longer using the best browser...: Firefox. Keep it up.

(In reply to Jorge Villalobos [:jorgev] from comment #21)
> ***** PLEASE READ THIS COMMENT BEFORE POSTING *****
> 
> This bug was created to block an add-on called Peliculas-FLV, which
> contains malicious code and can cause problems for its users.
> 
> Unfortunately, Peliculas-FLV uses the same ID as Cuevana (which we do NOT
> want to block), and that is why Cuevana users were affected by the block.
> Once we discovered our mistake, the block was reverted, and it currently
> only applies to version 2.0.3, which corresponds to Peliculas-FLV. The
> current version of Cuevana is 3.1.5, so it is currently not affected by
> the block.
> 
> If your Firefox updated the blocklist during the time all versions were
> blocked, you may still have Cuevana blocked. The problem will be fixed
> once Firefox updates the list again, which should happen in less than
> 24 hours. If you want to update the list as soon as possible, follow
> these instructions:
> 
> 1) Close Firefox
> 2) Locate your profile: http://support.mozilla.org/es/kb/Perfiles
> 3) Remove the file blocklist.xml
> 
> That should force Firefox to update the blocklist on the next
> startup.
> 
> ***** PLEASE READ THIS COMMENT BEFORE POSTING *****
